Don't Build Authentication. Use Auth0!
One of the early talking points in the debate between Django vs Rails concerned authentication. Django had one built in and Rails didn't. DHH, in response, demonstrated that creating one was easy enough. 2004 was a different time.
The lifecycle of authentication in 2004
- emit a form taking username and password
- verify the password for that user
- create an authenticated session (usually with a cookie and key-value store)
Things are looking very different in today's world.
Cookie-based sessions only make sense on websites. Modern web applications have more than one front-end. At minimum, there's web, iOS, Android, and is expanding into TVs, drones, and networked devices.
Each entry point needs to be secured with time and resources. Enterprise companies may have more complex access control requirements concerning what clients can access API resources.
Don't forget that you also need password recovery and email verification. Multiply the complexity if you also intend on adding OAuth for popular services, such as Facebook and Google.
In 2004, a username and password were all you needed. These days, I get regularly asked about more secure login protocols, such as passwordless with a phone, 2fA, and SAML.
SAML, specifically, is a big one. It's a protocol for allowing your cloud-based application to defer identity management to a third party provider, such as Onelogin or Okta.
As companies embrace the Cloud, they are increasingly using such systems for managing employee access to their software accounts. If you are targetting medium to large organizations with your SASS, you need to support SAML.
By using Auth0, you get support or SAML out of the box. A single engineer could add the changes you need to get your Auth0 powered app working with SAML in 1-2 weeks. It could take months to augment your custom authentication system. Don't forget that you also need to test and maintain all of that code as well.
Authentication is not a feature. It's a boring but infuriatingly necessary dependency that at its core needs to be reliable and secure.
I used to waste time building authentication until I gave up and just started dropping Auth0 into every project. It lets me start building client specific features on day one.
When you're building MVPs, this is especially important. Writing your own auth is a waste of time. Even with my Elixir projects, where there isn't a drop-in Auth0 solution, I am building my own Auth0 integration so I won't need to worry about supporting SAML or additional OAuth providers. I can focus on the features that make my clients happy.
